                 House of Representatives,
                       Committee on Armed Services,
        Terrorism, Unconventional Threats and Capabilities 
                                              Subcommittee,
                            Washington, DC, Tuesday, April 1, 2008.
    The subcommittee met, pursuant to call, at 3:06 p.m., in 
room 2212, Rayburn House Office Building, Hon. Adam Smith 
(chairman of the subcommittee) Presiding.

  OPENING STATEMENT OF HON. ADAM SMITH, A REPRESENTATIVE FROM 
  WASHINGTON, CHAIRMAN, TERRORISM, UNCONVENTIONAL THREATS AND 
                   CAPABILITIES SUBCOMMITTEE

    Mr. Smith. Good afternoon. I think we will go ahead and get 
started.
    There is only going to be one set of votes today. 
Regrettably, it is likely to happen right in the middle of our 
hearing, so we will just deal with that.
    As we understand, Dr. Goodman has a time constraint. 
Hopefully we will be able to accommodate that.
    And you have someone who can sit in for you if you are 
forced to leave. We will try to get at least your statements in 
and, you know, get some questioning through and just break when 
we have to.
    I want to call the meeting to order, first of all, welcome 
everybody here. I thank Ranking Member Thornberry for being 
here and for our witnesses.
    I will do introductions, say a few brief words, and then 
turn it over to Mr. Thornberry for any comments he might have 
before taking the testimony from the witnesses.
    But I want to thank Dr. Seymour Goodman, who is the Chair 
of the National Research Council Committee on Improving 
Cybersecurity Research in the U.S.
    Welcome.
    Dr. James Lewis, Director and Senior Fellow for the 
Technology and Public Policy Program at the Center for 
Strategic and International Studies, better known to all of us 
on the Hill as CSIS.
    And Mr. Franklin Kramer, who is a distinguished Research 
Fellow at the Center for Technology and National Security 
Policy at the National Defense University.
    Thank you for being here.
    The topic of the hearing is cybersecurity, and we look 
forward to learning from all of you how we can better deal with 
it. I know what we are trying to do here and I know the effort 
of the Administration and more broadly in the cybersecurity 
community is to have a holistic approach to what we are talking 
about.
    Obviously, there are the basics. You don't want anybody 
messing with your network, and you try to set up the best 
firewalls and passwords and blocks to anyone getting into that 
network. But, as we know, that alone doesn't do the job. Our 
networks throughout the military are violated on probably a 
daily basis, if not more often, to one degree or another, 
sometimes harmless, sometimes not. So we really need to develop 
a better strategy for preventing that.
    A piece of that, obviously, is improving our technology, 
improving the quality of the software that we come up with to 
protect against our networks being invaded. But the other piece 
of it is that there is a human element to it too. How can we 
get the best and the brightest people to be working on our 
systems? Do we pay them enough to attract them and compete with 
the private sector to get them here? And then how can we also 
set up the physical environment where our computer networks are 
to make sure that we are stopping any access that way, to make 
sure we know who has access to those varied computers, how the 
passcodes are set up.
    I suppose I shouldn't say this in a public hearing, but 
just in my own little life, I have so many security codes for 
so many different things, I tend to use the same one or two or 
three passwords. If somebody spends just a little bit of time, 
they could figure out what those are, and have a 33 percent 
chance with each guess of getting it. We don't want that same 
thing to be happening with some of our more secure networks.
    So what we are really focused on here this afternoon, then, 
is the holistic approach. And we appreciate folks from out in 
the think-tank world giving us their ideas on how we can do 
that and then apply those to the Pentagon's efforts.
    And, with that, I will turn it over to Mr. Thornberry for 
any comments he might have.
    [The prepared statement of Mr. Smith can be found in the 
Appendix on page 29.]

STATEMENT OF HON. MAC THORNBERRY, A REPRESENTATIVE FROM TEXAS, 
     RANKING MEMBER, TERRORISM, UNCONVENTIONAL THREATS AND 
                   CAPABILITIES SUBCOMMITTEE

    Mr. Thornberry. Thank you, Mr. Chairman. And I agree with 
you that it is critical that we have a holistic approach. In 
some ways, I think some of the cyber issues are indicative of 
some of the future security issues we are all going to face. It 
is not just a military function. It is not just a governmental 
function. And yet it has profound implications for our national 
security and, therefore, requires attention from all of us.
    This subcommittee, from its beginning, has spent a fair 
amount of time looking at information technology the Pentagon 
was trying to procure, including information assurance. We have 
gotten to the point where I believe cyber is a domain of 
warfare and, therefore, deserving of our attention. Our job is 
to try to understand where we are and why it matters and then 
what directions things are moving and then what we need to do 
about it.
    I appreciate the written testimony of the witnesses, 
particularly where you made specific suggestions about 
organizational changes or policy changes, technology. People 
was emphasized in a number of them. This subcommittee does not 
have jurisdiction to solve all of those things, but it is 
important for us to understand all of those things. And 
hopefully we and other colleagues can do what is necessary to 
protect the country.
    So I appreciate you all being here and look forward to our 
exchange.
    Mr. Smith. Thank you very much.
    I will now begin the testimony with Dr. Goodman.

  STATEMENT OF DR. SEYMOUR GOODMAN, CHAIR, NATIONAL RESEARCH 
 COUNCIL COMMITTEE ON IMPROVING CYBERSECURITY RESEARCH IN THE 
                              U.S.

    Dr. Goodman. Thank you very much.
    Mr. Chairman, distinguished members of the subcommittee, 
thank you for the opportunity to appear before you today to 
discuss the subject of holistic or comprehensive approaches to 
cybersecurity enabling network-centric operation.
    I am Sy Goodman. I am professor of international affairs 
and computing at the Sam Nunn School of International Affairs 
and the College of Computing at Georgia Tech. I recently served 
as chair of a committee of the National Research Council on 
Cybersecurity Research in the United States, and we produced a 
report entitled, "Toward a Safer and More Secure Cyberspace." 
We have a copy for all.
    And I would also like to introduce--accompanying me today 
is Dr. Herbert Lin, who is sitting behind me. He is the chief 
scientist for the Computer Science and Telecommunications Board 
of the National Research Council. And as I have to leave around 
4:15, 4:30 to go to Zurich, he may take over for me, as 
necessary.
    Mr. Smith. That is a long way to go.
    Dr. Goodman. Long way to go. Just came back from Ethiopia, 
which was an even longer way to come.
    Net-centric operations are the concept under which U.S. 
military forces and mission partners have rapid access to 
relevant, accurate and timely information and also the ability 
to create and share the knowledge required to make superior 
decisions in an assured environment amid unprecedented 
quantities of operational data.
    These capabilities will depend heavily on modern 
information technology, but commanders must be able to count on 
their availability when they need them, must believe that they 
are providing uncompromised information, and must know that 
adversaries do not have advanced knowledge of ensuing military 
activities.
    My remarks will focus on the link between cybersecurity and 
net-centric operation. Given the need for such operations to be 
conducted in a secure environment, the U.S. must do at least 
two things.
    The first could be characterized as do what you already 
know how to do. Many good cybersecurity technologies and 
practices today are not being implemented, and the widespread 
deployment of even relatively unsophisticated security measures 
can make it more difficult for an adversary to conduct a cyber 
attack.
    The second could be characterized as learn more about how 
to be secure. That is, even assuming that everything known 
today was immediately put into practice, the resulting 
cybersecurity posture, though better than what we have today, 
would still be inadequate against today's threat, let alone 
tomorrow's. And I can assure you the threat is evolving and 
becoming more serious. Reducing this gap will require 
substantial and sustained investments in research.
    To illustrate my description of necessary cybersecurity 
research, consider the story of the USS Yorktown, an Aegis 
cruiser that was the Navy testbed for Smart Ship technology in 
the late 1990's and an important element of the Navy's concept 
for network-centric operations. A widely used commercial 
operating system was installed on the Yorktown to control a 
variety of important shipboard applications, including 
navigation and propulsion. In September 1997, a crewman 
mistakenly entered an invalid number into a database. He 
thereby caused a divide-by-zero error that crashed the network, 
and the ship was left dead for several hours in the water.
    What are some of the reasons for cybersecurity research 
that might be drawn from this episode? First, net-centric 
operations may have a very intimate connection to commercial 
information technology. The Department of Defense (DOD) 
reliance on commercial IT for all kinds of functions means that 
insecurities in the commercial IT base may have a potentially 
devastating effect on vital military operations.
    Second, humans are part of any IT system. One might argue, 
as the Navy did at the time, that it was therefore human error 
that crashed the network rather than a problem with the network 
itself. But because cyber adversaries are likely to be smart, 
inducing human error is a strategy that an adversary might well 
employ.
    Third, the testbed could have been designed to provide a 
backup means for controlling ship propulsion so that a crashed 
network would not leave the ship dead in the water. A decision 
to do so would not have depended on detailed knowledge of 
cybersecurity but, rather, on a philosophy of system design 
that anticipates failures and provides for ways for mitigating 
their impact.
    Finally, the Yorktown was a testbed for new technology, 
and, thus, one might argue that failure should be expected. But 
testbeds often have a way of turning into production systems. 
That is, even though we build testbeds thinking that we will 
start over once we get serious about real-world application, in 
practice the design concepts from these testbeds often remain 
embedded in the new generation. Thus, understanding how to 
provide security for legacy systems is a vital dimension of 
cybersecurity research.
    These comments are not intended to diminish the 
conceptualization of cybersecurity as a technological problem, 
because in many ways it is a technological problem. One of the 
six categories for research outlined in our report is blocking 
and limiting the impact of compromise. Although this category 
is relatively traditional, it also includes research on how to 
understand and contain the damage from a penetration and how to 
recover quickly from a successful attack. Because absolute 
security of an information system never can be guaranteed, 
research is needed so that recovery from a successful attack 
can be accomplished as expeditiously as possible.
    But cybersecurity is not only a technological problem. This 
is a very important statement from a group like ours that is 
composed largely of some of the most serious and accomplished 
technical people in the country.
    Consider, for example, that today a great deal of security 
functionality is often turned off, disabled, bypassed, 
underutilized or not deployed because it is too complex for 
individuals and enterprise organizations to manage effectively 
or to use conveniently. It is easy to believe that in military 
organizations a senior commander can simply order his 
subordinates to comply with all necessary security measures. To 
some extent, this is true. Nevertheless, under the pressure of 
combat operations, it is often the case that faithful execution 
of security procedures gives way to mistakes and the expediency 
of circumventing those procedures if they are cumbersome. Thus, 
good cybersecurity construed in purely technological terms may 
well be ineffective in an operational context.
    Our report includes a category focused on promoting 
deployment and effective use of cybersecurity technologies, and 
this category includes research on technologies that facilitate 
ease of use by both end-users and system implementers, 
incentives that promote the use of security technologies in the 
relevant context, and the removal of barriers that impede such 
use. Measures to provide incentives and to remove barriers to 
the use of security technologies and procedures may have legal, 
economic, psychological, social and organizational dimensions.
    Consider also that net-centric operations, broadly writ, 
depend dramatically on increased access and functionality 
afforded by modern information technology. But increased access 
also multiplies the routes through which adversaries can 
attack, and increased functionality requires ever more complex 
systems that are inevitably--and I emphasize inevitably--
riddled with vulnerabilities. From a security standpoint, the 
consequence has been that our increasing dependence on these 
technologies provides formerly weak adversaries with 
unprecedented opportunities for attacking us.
    In response, we need to reduce the likelihood that an 
adversary will succeed in penetrating our cyber defenses and to 
increase the ability to recover from successful penetration of 
those defenses. But a third logical possibility, also addressed 
in the report, is to design systems so that critical activities 
can take advantage of advanced information technology whenever 
possible but do not require such technology in order to 
basically function.
    In some cases, this may mean providing adequate backup in 
case the technology has been compromised. In other cases, it 
may mean foregoing some of the advantages afforded by network-
centric operations because the risk is just too great to 
manage, even with backups in place.
    Finally, I was asked to comment on coordination within the 
Federal Government of cybersecurity research. It was our 
impression that the scope and nature of cybersecurity research 
across the Federal Government were not well-understood, that no 
entity within the--and this is with all due respect to a lot of 
very good people who are working these problems within the 
Government. But the scope of what we were concerned with was 
really much larger than what some of them can basically put 
under their domains. And then no entity within the Federal 
Government had a reasonably complete picture, including 
classified and unclassified, of the cybersecurity research 
effort that the Government supports from year to year.
    The report argues for a sustained, coherent and 
comprehensive approach to cybersecurity research. And the lack 
of a mechanism for drawing this complete picture suggests that 
the U.S. Government is not well-organized for supporting such 
an approach, much less in welding the results together to 
comprehensively make cyberspace safer and more secure.
    I thank you, and I will try to answer any questions that 
you may have.
    [The prepared statement of Dr. Goodman can be found in the 
Appendix on page 30.]
    Mr. Smith. Thank you, Dr. Goodman.
    Dr. Lewis.

   STATEMENT OF DR. JAMES ANDREW LEWIS, DIRECTOR AND SENIOR 
FELLOW, TECHNOLOGY AND PUBLIC POLICY PROGRAM AT THE CENTER FOR 
           STRATEGIC AND INTERNATIONAL STUDIES (CSIS)

    Dr. Lewis. Thank you for the opportunity to testify.
    As you know and as we heard from Representative Thornberry, 
we have seen new domains for conflict emerge in the last 
decade. Cyberspace is perhaps the most interesting of these new 
domains because the cost of attack is low and because it has 
been an area of significant U.S. vulnerability that our 
opponents have exploited.
    Computer networks and information technology can improve 
performance for both businesses and for militaries when they 
are used to provide better information and coordination. We are 
just beginning to develop the organizational structures and 
tactics that can make full use of the new technologies to 
provide informational advantage.
    But at the same time, these technologies have created 
vulnerabilities. Our opponents have seized the opportunity 
presented by these vulnerabilities to engage in an extensive 
espionage campaign against the United States.
    It is also possible that when intruders access U.S. 
computers to steal information, they leave something behind. We 
cannot say that a network that has been penetrated has been 
infected with hidden malware that could be triggered in a 
crisis.
    China and Russia are the most dangerous of our opponents. 
China has resources and is willing to spend them. Russia has 
experience and skill. However, China and Russia are not the 
only nations interested in cyber warfare, nor are nation-states 
our only opponents. The emergence of a skilled cyber-crime 
community has serious implications for U.S. security.
    While we have underestimated the risks of espionage and 
cyber crime, the risk of cyber terrorism is overstated. 
Terrorists make extensive use of the Internet, but cyber 
weapons are not yet sufficiently lethal to attract their use.
    Last year, we crossed a threshold in cyber attacks with 
noisy demonstrations launched by a foreign intelligence service 
against Estonia and with massive sustained attacks on U.S. 
Government networks and the networks of allied countries. These 
attacks prompted the U.S. to begin a major new initiative to 
secure Government networks. Many of the initiative's elements 
are highly classified, but we know that it allocates more money 
and personnel to cybersecurity and directs a number of actions 
by different agencies.
    These are positive steps, but difficult issues remain. One 
such issue is coordination with the private sector. We need to 
rethink how the Government interacts with the private sector on 
cybersecurity.
    Another issue is international cooperation. Attacks come 
over a global network. A national effort can only provide part 
of the solution. The U.S. will need to work with its allies and 
perhaps even with our adversaries to improve cybersecurity. 
Better international security could deter cyber crime. In some 
countries, criminals face little risk of prosecution. Only 
international cooperation will change this.
    Other forms of cyber deterrence, however, are less 
practical. It is difficult to deter if you cannot predict the 
degree of collateral damage to innocent networks. It is even 
more difficult to deter if you do not know who is attacking. 
The Internet is too anonymous and too easily deceived. The 
attacks on Estonia highlighted the problem of anonymity. 
Identity management must be improved for better cybersecurity.
    Federal organization, as of course you know, remains a 
problem. There is no agency fully responsible for 
cybersecurity. Better organization is crucial.
    Federal organization, strategy, coordination with the 
private sector and allies--these and other issues remain 
challenges despite the progress made by the President's 
cybersecurity initiative.
    Much can be done in the time left in the Administration, 
but much will necessarily remain unfinished. Presidential 
transitions are a moment of opportunity. The first year of the 
next Administration will provide an opportunity to take the 
cybersecurity initiative and advance it.
    To help the new Administration think about this 
opportunity, the Center for Strategic and International Studies 
has established a nonpartisan commission on cybersecurity for 
the 44th presidency. Our goal is to look at cybersecurity as a 
problem for national security. It has often been regarded as 
kind of a boutique issue, and I think it is time to recognize 
that it has moved well beyond that. We hope to develop 
recommendations for a comprehensive strategy for Federal 
systems and critical infrastructure, and we want to explore new 
ways the Government can engage with the private sector.
    CSIS intends to make the work of the commission an 
inclusive process and has asked other experts and groups to 
participate in the development of recommendations and to make 
presentations on substantive issues.
    To summarize, the attackers have the advantage in 
cyberspace. The U.S. is behind the curve. The Administration's 
initiative is good, but it won't be finished by the time they 
leave office. A new Administration will inherit both challenges 
and opportunities. Our hope is that CSIS can help identify some 
of these opportunities.
    When we think about network-centric activities, the U.S. 
has a clear advantage, but this advantage is eroded by our 
uneven approach to cybersecurity. We will never have perfect 
security, but we can reduce the opportunities for our opponents 
to gain advantage against us.
    I thank the committee and will be happy to take any 
questions.
    [The prepared statement of Dr. Lewis can be found in the 
Appendix on page 58.]
    Mr. Smith. Thank you very much.
    Mr. Kramer.

STATEMENT OF FRANKLIN D. KRAMER, DISTINGUISHED RESEARCH FELLOW, 
 CENTER FOR TECHNOLOGY AND NATIONAL SECURITY POLICY, NATIONAL 
                       DEFENSE UNIVERSITY

    Mr. Kramer. Thank you, Mr. Chairman and members of the 
committee. I am very happy to be here.
    Like my colleagues and like the Chairman and the ranking 
member, I think that cyber needs to be looked at as part of 
what I would call an effective national and international 
framework as part of an overall national security strategy.
    And I think we also need to make sure that when we think 
about cyber, we don't simply equate it with the Internet, 
although that is certainly part of it. But, as people have 
mentioned, military networks, but also influence operations 
like TV and radio, cell phones, applications and the like. So 
it is a big world out there; it is not just an Internet world.
    And we also need to think about the fact that it has 
changed so much in the last 10 years, we ought to be expecting 
that it will change a great deal in the next 10. And so 
whatever frameworks we create, we want to make sure that they 
are not constraints on the expansion of cyber but that they 
enhance the expansion of cyber. So it needs to be an adaptive 
approach rather than a static one.
    On the security side, as the committee's title for this 
hearing indicates, I agree, it really needs to be holistic. We 
need to look at organization. We need to look at classic 
security. We need to look at R&D and funding, I think 
deterrence, network-centric operations and international, all 
of which have been suggested.
    My first recommendation to the committee is that there 
really needs to be created within the executive branch a new 
organization that would take a holistic look at the cyber set 
of issues. It probably ought to be at the White House level. In 
my opinion, it ought to be something along the lines of the 
Council of Economic Advisors, which is a policy organization, 
not an implementing organization. And it ought to look at and 
have the ability to deal with the multiple problems, the 
multiple arenas, the multiple authorities, to integrate and 
also to integrate with the private sector.
    There is no place in the Government that now does this. And 
in the absence of an overall approach, everyone is trying to do 
the best they can, but it is not coordinated. And, therefore, 
the sum of the parts is far less than what the whole ought to 
be.
    If you had that organization, then you really could look at 
what I might call the classic security kinds of questions. And 
there we all know that cyber is not secure; that is perfectly 
clear. The question is, how much risk do we want to take, and 
what is the relationship between the security and the 
functionality that we want to adopt?
    If you think about it, the more Internet sites you go to, 
the greater chance you have of downloading a virus. But if you 
don't go to Internet sites, you don't make use of the Internet. 
So there is a trade-off. I mean, you need to think about that 
and not expect to have 100 percent security throughout, but 
some areas you might really want to do it.
    In my opinion, where we are on cyber is a little bit like 
where we were in the early 1970's with respect to the 
environment. We know there is a problem, and we are just 
starting to create the framework. And I think that the 
Government really needs to take what I would call a much more 
directed approach to cyber and take, I would call it, a 
differentiated security approach.
    There are some areas that I think are just indispensable 
networks; some key military networks are indispensable. We 
really can't afford to lose those at all for any period of 
time. There are other networks that I would call key--I mean, 
just my words--and they might be the electric grid or certain 
parts of the financial arena or maybe the communications grid. 
I mean, we have had the electric grid go down for other reasons 
for a short period of time, but if it went down for a long 
period of time, that would be catastrophic. And then the rest, 
if you will, of cyber, and you might differentiate between say 
an individual, a small business and businesses.
    If you think about those three different elements, for the 
indispensable areas, I think the Government needs to provide 
the security. It needs to do the monitoring, it needs to create 
the possibility of response, it needs to create resilience, it 
needs to do reconstitution. It does the whole nine yards. For 
something I would call key, you are going to have a public-
private involvement. So you have to work closely there, but the 
Government might also provide some of the security and provide 
some of the monitoring and the like. And then for the rest, the 
Government can encourage and incentivize and the like.
    Now, as soon as you get into the private sector, you are 
immediately going to have very important privacy and civil 
liberty questions which this committee and other committees in 
the Congress have raised. So there really needs to be a 
dialogue on this with industry, with the American people, with 
the executive branch. And this committee could start that 
dialogue.
    But the upshot of what I am saying is that we really need 
to think that we are going to spend some time--and it will take 
several years, just like it did with the environmental area--to 
create the statute, the regulations and the framework that 
would allow you to appropriately protect the indispensable, the 
key and the other networks.
    Part of what you need to do to do that, I think, is to 
create what I would call national cyber laboratories. We don't 
really have those now. We have national laboratories for 
nuclear. We have national laboratories for energy. We ought to 
have national laboratories for cyber. It is a whole new world, 
and we ought to think about it. Private sector does a lot of 
good research, very good research, but it is focused, 
appropriately, on the profit motive, because that is what the 
private sector is about. The DHS's cyber R&D budget for last 
year was less than $50 million. That is really not quite 
enough.
    So I would suggest a three-part approach, where we increase 
funding to agencies like the DHS, more funding for R&D, we 
incentivize the private sector and use them for Government-type 
research, but we also create a national laboratory-type 
structure. And, again, I think this committee could think about 
that.
    We ought to also, as you think about security, not to only 
think about the defense. We have spent a lot of time thinking 
about deterrence, and I think that deterrence is more possible 
in the cyber arena than most people think. And I think there 
are four things that I would propose for you.
    First of all, one shouldn't think about cyber deterrence as 
just cyber versus cyber. I can't think of anything really 
relatively more dumb than if somebody attacks you, to go and 
burn out his computer. He is going to have a second computer on 
his desk. What we really need to think about is deterrence in 
the context of overall deterrence--political, military, 
economic and cyber--and then think about what the appropriate 
responses would be.
    We need to differentiate state from nonstate actors, 
because a state actor normally acts for political motives, and 
you can think about ways to deter those political motives.
    We would probably want to think about different thresholds. 
If it is a very large attack, we are certainly going to respond 
strongly, and we should respond strongly. A smaller attack, 
perhaps it is a law enforcement opportunity.
    And then, as was already raised, we really need to do work 
on attribution. I think we are a little better than some people 
think we are, but there is no question whatsoever that we need 
R&D on attribution. And we also need a governing structure, an 
international structure that allows for attribution and also a 
framework in which to respond. So, for example, what is NATO 
going to do if there is an armed attack? Estonia was a wake-up 
call, but what about the next time? How are we going to deal 
with these things?
    A number of people have already raised the network-centric 
operations problem. We rely on it. I was in the Defense 
Department twice for President Clinton's Assistant Secretary 
for International Security Affairs. I couldn't possibly more 
strongly support network-centric operations. But it does create 
a vulnerability. It means that people can have asymmetric 
attacks against us.
    So what should we do about that? I think we need to do a 
lot more red teaming, vulnerability assessments. I think we 
need to figure out how to do what I would call blue teaming. 
How do you operate degraded? Cyber is not the first area where 
we would think that we would operate in less than perfect 
conditions, and we need to figure out how to operate with what 
you might call mission assurance. And, as has already been 
suggested, research and development on this area is very 
important; building that concept of vulnerability into the 
acquisition cycle and deciding which risks one wants to take 
and which risk one wants to avoid and making that requirement. 
And, again, this committee could raise that kind of question.
    And the last point I would make is the international point. 
There is no point in thinking about cyber from a national point 
of view, because cyber simply isn't just national. It is 
national, but it is national integrated into the international 
arena.
    So we need to do a number of things. I mentioned NATO 
already. We need to create a dialogue about what constitutes an 
attack within the meaning of the treaty or even not within the 
treaty but just, what should NATO do? There is going to be some 
statements about cyber made at the summit that is ongoing right 
now, but those are just first steps, so we really need to do 
more.
    We need to think about an international governance 
structure. The current governance structure for cyber, 
particularly the Internet, is historical but not logical. There 
are a lot of countries who are pushing at that governance 
structure. That is not a reason to change it; it has actually 
worked well for us. But they will push at it, and we don't have 
a good structure to support us in the security arena. We don't 
have a good structure to help on the law enforcement side. We 
might want to expand, for example, the European Convention on 
Cyber Crime, have more countries develop it. So the last point 
I would make is that we need to think about cyber 
internationally.
    With that, let me finish, Mr. Chairman, and I would be 
happy to answer your questions.
    [The prepared statement of Mr. Kramer can be found in the 
Appendix on page 65.]
    Mr. Smith. Thank you, Mr. Kramer.
    Before we take questions, we did have a statement for the 
record submitted by the Director of Defense Information Systems 
Agency. Without objection, we will put that into the record for 
the hearing.
    [The information referred to can be found in the Appendix 
on page 81.]
    Mr. Smith. With that, I want to award the members of the 
committee for showing up. And I will pass, actually, on my 
questions. And Mrs. Gillibrand is first on our side, so I will 
yield my time to her to ask the first questions.
    Mrs. Gillibrand. Thank you, Mr. Chairman.
    I liked your idea of a national laboratory for 
cybersecurity. Is that consistent with having a Cabinet-level 
position for cybersecurity, or would that be done separately?
    Mr. Kramer. I think you could do the two in parallel. In 
other words, the national laboratories, say, for energy are 
actually run, to some extent, by universities, but you still 
have a Cabinet-level Energy Department.
    I think what you would want to think through is you would 
want to look at the places, some of which were mentioned, where 
work is being done and decide whether the best way to do it is 
to expand on current activities or do you really want to create 
a whole new activity. And you might--I am going to make a guess 
here--you would probably end up using some of what already 
exists and then creating some new ones. And I probably wouldn't 
just have one; competition is usually good.
    Mrs. Gillibrand. Because right now I think the majority of 
our research and development is through the armed services, 
particularly through the Air Force right now. So would this be 
something we are doing in complement with the Air Force? Or 
would it be something that would be done instead of? Please 
give me more detail about what you envision would be your ideal 
scenario.
    Mr. Kramer. I love the Air Force. I don't think--and it has 
created the Cyber Command, but it is early days. And I think 
that a lot of people are doing a lot of efforts and 
particularly at----
    Mrs. Gillibrand. Would you consolidate that all under this 
one Cabinet position?
    Mr. Kramer. I wouldn't. I think what I would be inclined to 
do, as I said, is create laboratory--I am going to call them 
communities, maybe like Los Alamos or Livermore and the like. 
But in parallel to those kinds of activities, I would also 
probably have the more functional efforts by the services that 
would be more focused on, if you will, the applications.
    And one of the reasons, at least from my perspective, is 
because we don't really know all of the places where we are 
going to go and we don't really know necessarily how to get 
there. I mean, Dr. Goodman and his group proposed a very 
extensive program of research and development. I would like to 
have a lot of people work on that.
    Mrs. Gillibrand. Uh-huh. In terms of if--well, you have all 
briefed various aspects. Obviously, there is the military 
concerns of cybersecurity and attacks from either a state actor 
or a nonstate actor. And that has separate questions of whether 
we have to adjust the laws of armed conflict to reflect these 
types of attacks and how we would retaliate. And you raised 
those questions, which I would like to perhaps hear more about 
your views.
    But the other types of attacks, whether it is on civilian 
targets, such as our electric grid, such as our water systems, 
such as any chemical plant or nuclear plant or any 
infrastructure, to the extent that work is now being done 
solely under the military, is your view that the reason why you 
have this Cabinet-level position so that you would have another 
avenue for addressing not only research and development but for 
creating plans of action for national security on, perhaps, 
areas that are not necessarily typically under the purview of 
our military; they are not more under the purview of Governors 
and States and civilian control issues?
    Mr. Kramer. And the Department of Homeland Security (DHS), 
as you know, has a substantial role in cyber protection. So it 
really is a combination, in some sense, of the military and 
DHS.
    But the short answer to your question is yes. The reason I 
would like to have an overall look at it is because I don't 
think that we are really taking, to use the committee's word, a 
holistic look. And I think the only place you can do that is if 
you have someone that has the Presidential perspective and then 
can focus on where resources need to go--we don't have infinite 
resources--and how they might coordinate and the like.
    For a time, there was an office in the National Security 
Council that did some of this, and I just think that there 
needs to be a White House perspective.
    Mrs. Gillibrand. Uh-huh. In terms of, you know--I would 
like, Dr. Goodman and Dr. Lewis, your thoughts on these as 
well--in terms of their idea about having public-private 
relationships, particularly perhaps the R&D stage, over the 
next 5 years, where we are trying to get the brightest minds in 
the entire country focused on cybersecurity, defensive postures 
and the other issues that have been brought up, if you do that, 
what would be your top recommendations about how to do that and 
how to be able to keep the security levels that are necessary?
    You know, one thing I have been challenging our military 
leaders on is, how do you expect to recruit the minds and the 
young folks that are coming out of these great engineering 
universities around our country to join the military, to have a 
military training and mission to do this kind of work?
    And so one obvious answer is you recruit but you also 
create public-private partnerships in the meantime to get the 
best minds. Just quick thoughts on that, and then I have to 
return it to the Chairman.
    Mr. Kramer. Want to jump in there?
    Dr. Lewis. Go ahead.
    Dr. Goodman. There is a very broad range of possible 
answers to what you have asked. Let me just bring up a couple 
of examples of how to respond to the range of questions that 
you have.
    The fact of the matter is that, in this country and in most 
of the world, these enormous infrastructures that we will 
collectively call cyberspace are largely owned and operated by 
the private sector. Most of the vulnerabilities, in the sense 
of users being vulnerable and introducing perhaps inadvertently 
vulnerabilities, are also from the public sector. Our 
governments, not just the U.S. Government, are really smalltime 
players in a cyberspace that includes 1.5 billion users on the 
Internet alone worldwide, and it comes to ground in 200 
countries. And the only thing growing faster and that is more 
extensive are the 3 billion users of cellular telephony in the 
world. And, again, even in countries that have very weak 
private sectors, the private sectors really own and operate, 
and they may be even foreign companies.
    So what can governments do in this regard? There are 
analogies in other areas that have not been very well-pursued, 
and they have to be pursued very carefully because the 
dimensions of cyberspace and the range and number of 
stakeholders is so great and they don't share, sort of, common 
vulnerabilities or interests.
    But we have, throughout other emerging technologies that 
have caused problems from a safety and security standpoint, we 
have fairly successfully brought these things into a kind of 
satisfactory level by what might be described as required 
mandates from Government. Not strong forms of regulatory 
control, as we had, for example, when AT&T ran the national 
carrier; in fact, that is disappearing from most of the world's 
telecom. But the analogy that I like is, the carnage on 
highways has at least been partially brought into satisfactory 
levels with, if you like, required mandates for seatbelts and 
airbags.
    People came up with technologies that were clearly going to 
be useful. The private sector resisted both technologies very 
seriously. The Government and lots of private people not vested 
in the industry saw to it that some very reasonable required 
mandates were passed that smooth out the problems of 
competitive advantage by insisting that everybody have these 
things. They didn't turn out to be all that expensive. And they 
have arguably made a huge difference with regard to safety in 
the automobile world.
    We have some analogies in the telecommunications world. We 
have some, if you would like, regulations----
    Mr. Smith. I am sorry, Dr. Goodman. I wanted to get a 
couple more questions in before we buzz for our votes.
    Dr. Goodman. Oh, okay. In any case, let me make two 
comments. One is that some very thoughtful mandated 
requirements--I won't use the word ``regulation'' because it is 
usually too strong--can probably be put together to really make 
a significant difference.
    Second, with regard to getting good people in the 
Government, there is, in fact, a major NSF program, and I am 
the PI for this at Georgia Tech, called Scholarship for Service 
that attracts some very, very capable people from around the 
country, students who acquire typically a master's degree, with 
specialties in cybersecurity. And the program has created 
cybersecurity programs. And these people very willingly have to 
have at least a 2-year obligation with Government. And so far, 
most are sticking with it. It is a great way to get good people 
in Government, and it is not hard to find people who want to 
serve.
    Dr. Lewis. Can I throw in three quick words, Mr. Chairman? 
It will be real quick.
    Public-private partnership, you have got a couple of models 
you could look at. You have something that used to be called 
the National Institute for Strategic Technology Acquisition and 
Commercialization (NISTAC). It was at DOD. It is a coordination 
between the big service providers and the Government. Another 
model would be the North American Electric Reliability 
Corporation (NERC) and the Federal Energy Regulatory Commission 
(FERC), what they do with energy.
    But something you could also look at that might fall under 
this committee's jurisdiction is acquisitions. And DOD is doing 
some interesting stuff in using its acquisitions to drive 
better cybersecurity. Part of the new initiative is something 
called the Federal Desktop Core Configuration. This came out of 
Air Force, and it mandates a more secure desktop. So there are 
some areas where we have existing models that would be useful, 
some of which come out of DOD.
    Mr. Smith. Okay.
    I really have to try to move on.
    Mr. Thornberry.
    Mr. Thornberry. Mr. Chairman, I would yield to Mrs. Drake 
for any questions she may have.
    Mrs. Drake. Thank you. I will be quick so maybe we can get 
another one before we go vote.
    First of all, thank you all for being here. And I think 
this is a topic that is so timely, and you have given us a 
really good overview of it.
    My question is, what are we doing today? Is it within each 
different agency--Homeland Security, FBI, CIA, DOD, here within 
Congress? Is everybody doing their own thing? And is it all 
different? Or is this agency you talked about, Director of 
Informational Services, are they spearheading trying to bring 
it together? I mean, I know you have proposed this new group to 
do it. But what are we doing today?
    Mr. Kramer. The DHS has the lead, the Department of 
Homeland Security. And there--although it is a classified 
program, I don't want to go into it here--there has been a new 
initiative that newspapers have talked about. So I think there 
is an effort to be more combined.
    But I think the long and the short of it is that the 
agencies are not working as well together as they ought to be. 
And every year the GAO puts out a report, for example, on how 
well at least the GAO thinks that the agencies are doing in 
terms of security. And, speaking loosely, everybody fails.
    Mrs. Drake. Okay.
    Thank you, Mr. Chairman.
    Dr. Goodman. May I make a quick response to that that is in 
some ways more fundamental?
    The basic architecture and organizational and service 
structure of the Internet in particular but lots of these 
networks and cellular telephony fundamentally pushes defense to 
the end-users. And so it makes not only the kinds of 
organizations that you have in Government basically forced to 
think first and foremost of defending themselves, but it makes 
all of us--Mr. Smith mentioned that he has some problems, 
perhaps, defending his own computers. That is true of all of 
us.
    And this is fundamental in the architecture and the 
service-providing infrastructure that we have out there. 
Defense is pushed to the end-user. The end-user has to fend for 
itself, whatever organizations or people that are involved.
    And given the growing sophistication of the kinds of 
attacks and attackers that there are out there, we are all, 
including all the members of my committee, increasingly unable 
to defend ourselves against the sophisticated, innovative 
attacks that are taking place out there.
    Mrs. Drake. Dr. Lewis, did you want to comment?
    Dr. Lewis. I think the ball game has changed a lot in the 
last couple of months, and so we probably need to take a look 
at that. There is a lot more coordination.
    I would have said the Director of National Intelligence has 
a major role in this. And there has been a little bit of a turf 
fight between DOD, DNI, DHS. I think that is resolved, but I 
don't know.
    So we are better than we were would be the short answer.
    Mrs. Drake. Thank you.
    Mr. Smith. I think one of the questions I have had--we 
certainly see the threats. This is all over the place. There are a 
lot of systems to protect, a lot of threats coming from a lot 
of different directions. We haven't yet here had a big 
catastrophic attack. And I think that is perhaps one of the 
things that sort of lulls us.
    Because a lot of the suggestions that you are talking about 
come into a lot of money. And I think if we are going to be 
setting up labs that are for cybersecurity, if we are going to 
be setting up a new agency, I envision something sort of like 
the National Counterterrorism Center where someone is pulling 
it all together, looking at all the threats and then working 
with DHS, we are talking a lot of money. And if we are going 
to sell people on that, we have to get over the fact that, as 
of yet, you know, despite all the weaknesses we have talked 
about, we have not yet been severely struck.
    Am I wrong about that, first of all? And second of all, 
why? What is the answer to that, given all the vulnerabilities 
that we hear about repeatedly, not just in this hearing but 
elsewhere?
    Dr. Lewis. We are looking at the wrong things. We got off 
to a bad start 10 or 15 years ago by thinking this would be an 
electronic Pearl Harbor. So people are still looking for flames 
and buildings blowing up. That is not going to happen. It may 
happen in the future. The real crisis, though, has been the 
loss of intelligence, the loss of information, the information 
and intelligence successes. And I think we have had some major 
failures in the last year or two, even more, that I would 
qualify as creating the kind of crisis you are looking for. It 
is a different kind of Pearl Harbor, but we have had serious 
problems that we can't ignore any more on the intelligence 
side.
    Mr. Smith. Dr. Goodman.
    Dr. Goodman. A quick response to that is, ask yourself, who 
are the most capable people of benefiting from doing malicious 
things on the Net, or the Nets? And the answer is that it is 
probably, at least so far, not in their best interest to have 
caused any kind of catastrophic failure. They are doing 
extremely well, whether it is criminals, whether it is foreign 
intelligence agencies and what have you----
    Mr. Smith. Gathering information.
    Dr. Goodman [continuing]. With things the way they are, 
whether they are making money, whether they are conducting 
their own business through these networks. We have set up a 
wonderful infrastructure for them to operate in their own best 
interests, and they are doing wonderfully well out there. Why 
would any of them, at least under current kinds of conflict 
situations--maybe if there is a serious war with China or what 
have you, this could change--but why would any of them want to 
bring it down?
    Mr. Smith. The question would be al Qaeda and the 
terrorists that would want to cause us as much economic damage 
as possible, so if they could hit our network and take it down, 
causing us massive economic damage, they would want to do that, 
I would presume.
    Unfortunately, we have to go vote. And I have a hard stop 
shortly after 5 o'clock. We have three votes. We should be 
able to be back here before 4:30. I will come right back after 
the last vote. Any other members who want to come back, I thank 
them for their patience.
    Thank you.
    [Recess]
    Mr. Smith. I think we will go ahead and get started. I 
don't know how many other members will be back this late in the 
afternoon. I have some questions, I am sure Mr. Thornberry does 
as well; so we will take a stab at that. And actually, if you 
could just identify yourself for the record, standing in for 
Dr. Goodman there.
    Mr. Lin. My name is Herb Lin, Chief Scientist from the 
Computer Science and Telecommunications Board of the National 
Research Council.
    Mr. Smith. Welcome. Thank you for joining the panel. 
Actually, I will go ahead and yield to Mr. Thornberry, if for 
no other reason than because I haven't had a chance to look 
back down at my notes.
    Mr. Thornberry. Well, I haven't found my notes. They sort 
of disappeared while we were gone. Not that they were all that 
great a thing, but--I don't know, I made several notes while we 
were going, and they seem to have disappeared.
    Let me ask this. Has any of you all's organizations looked 
at the question I think that Ms. Gillibrand asked about the 
authorities--Title 10 authorities and perhaps Title 50 and 
other things on cyber--and had any suggestions on what Congress 
ought to begin to think about when it comes to what constitutes 
an attack on our Nation; what is the proper, you know, role of 
the military, et cetera, et cetera? Has anybody gone down that 
trail yet?
    Dr. Lewis. We actually came up with a list that I can share 
with the committee of the various laws, including the laws 
covering DOD, that affected cybersecurity. It was, 
unfortunately, a long list. If I remember, we felt like we 
didn't finish it, but we had three pages, including Title 10, a 
lot of authorities. And one of the things I hope we can do is 
go through and figure out where the authorities need to be 
deconflicted.
    One of the things that has come up several times in 
discussions I have had with other people is the need for some 
sort of doctrine, a cyber doctrine for the U.S. And you know, 
knowing DOD as you do, you know that there is doctrine for 
everything. We don't have a national cyber doctrine. So that 
might be a useful place to look at. But deconflicting the 
authorities is really going to be complicated because----
    Mr. Thornberry. That is the easy part, deconflicting. To 
make sure the authorities are there for the advancements, I 
think that is even harder.
    Mr. Smith. Yeah. I want to dive in there, because what is 
something that really strikes me as challenging about this from 
your testimony in the cybersecurity arena is sheer volume. You 
talk about coming up with sort of a national--I forget the word 
you used, ``strategy'' or----
    Dr. Lewis. Strategy.
    Mr. Smith. It was something you had just said a moment ago. 
And I guess the problem I have with that is, you know, there 
are so many systems out there that are different. And also the 
talents of the people that you have working on those systems 
are different. And how you are going to set up your network is 
going to have to match both; both the talents and the relative 
technology IQ, if you will, of the people working there and the 
systems.
    I mean, are we in a situation in cybersecurity where it 
sort of defies an overarching plan and a centralization? And 
you can correct me if I am wrong here, but I am thinking in a 
National Counterterrorism Center sort of model where we had all 
these organizations engaged in counterterrorism and 
intelligence gathering, but there was a concern about 
stovepiping and no sort of comprehensive strategy. Well, once 
al Qaeda emerged as a central threat it is like, okay, anybody 
affiliated with them, we are tracking those targets, we can put 
the National Counter Terrorism Center (NCTC) up top, have them 
keep track of that stuff, and it has worked reasonably well.
    I just wonder in the cyber arena is there just such a sheer 
volume of vulnerabilities and areas here that it defies that 
sort of central coordination?
    Dr. Lewis. What I have thought in the past, speaking for 
myself now, is there is this, you know, huge profusion of 
different networks, different technologies, different actors. 
You can do a couple things, though. The first is there are some 
networks that are more important than others--and you heard 
that, I think, in Mr. Kramer's testimony--the financial 
network, the telecom network, the electrical grid; maybe the 
fuel supply, the Petroleum Oil Lubricants (POL) pipeline, 
government services like DOD. So you can narrow it down and say 
if those networks continue to operate, we will be able to 
continue to function as an economy and our military 
capabilities won't be badly damaged. So focusing in on key 
networks would be a good first step.
    The second part is, you know, I do think you can come up 
with a strategy. The strategy has to be linked. And I think 
that was implicit in all our remarks. It has to be linked to 
some new organization. And the stovepiping problem, you are 
very familiar with it from DOD. This is why we had the 
Department of Defense and then why we had Goldwater-Nichols, 
and now we have tried it with DHS to break stovepipes, put them 
all in one place. Tried it with the Director of National 
Intelligence (DNI). So you can rate the effectiveness of those 
attempts differently, but I think we need to make a similar 
kind of attempt for cybersecurity. How do we get people to 
work, you know, across agency boundaries, and whether that is a 
Cabinet office or something else?
    Mr. Smith. Mr. Kramer, you are shaking your head as he is 
speaking.
    Mr. Kramer. Going to the Title 10, Title 50, I mean I dealt 
with that, so to speak, in real life when I was in the 
government. I think on that there have been some advances. And 
you are going to have--presumably you are going to have 
classified hearings, or have had classified hearings, and that 
will come right up.
    But there are efforts, substantial efforts to deal with 
that issue. But I do think, I do think we have made progress in 
terms of what I am going to call--I keep calling it classic 
security, you know, the defensive side of security, the new 
initiative. Again, you are going to have hearings on these, I 
presume.
    One thing I think that would make a big difference which 
would help is if a lot of aspects of cyber were either 
declassified or substantially reduced in classification. This 
is an area in which I think it is wildly overclassified. And if 
one compares cyber to electronic warfare, which is not all that 
different, but cyber is normally way up here in classification, 
electronic warfare has some programs that are up there, but a 
lot that are just sort of what I call secret level classified, 
and a lot of principles and the like that are not actually 
classified at all, and it makes it a lot easier to integrate 
that both into military operations and to have people talk 
about it.
    So again, something I would encourage the committee to look 
at, and you know, obviously, the Vice Chairman, for example, 
the current Vice Chairman is obviously very interested in this 
issue, and he is someone who I have talked to about the 
classification issue, and I would encourage you to do it.
    Mr. Smith. Okay.
    Mr. Thornberry. I wanted to ask the two of you all, I 
thought Mr. Kramer's differentiation of the networks that are 
most valuable, where the government has a responsibility to 
actively defend versus a lesser network where the government 
has less, versus--makes some sense to me. And I think, Dr. 
Lewis, you implied in your last answer that probably that does.
    But I want--you know, you always hear whatever it is, 94 
percent of the network is in private hands. That doesn't mean 
all 94 percent is of equal value to the security of the Nation, 
which is where we are coming from here. But I wonder if you 
agreed with that idea of having tiers and different levels of 
responsibility for those tiers.
    Dr. Lewis. Well, the tiered idea makes a lot of sense 
because there are some things that--you know, the electrical 
network is the best example. If the electricity goes off, 
nothing works. So we have a responsibility, the government has 
a responsibility to ensure that it continues to supply power.
    What the complicated part is that there are so many 
different agencies that currently have some piece of making 
sure the electrical power grid continues to deliver. You have 
got the Department of Energy, you have got the Nuclear 
Regulatory Commission, you have got the State commissions. You 
get into a very complicated--you have got DHS to some extent--
complicated situation where each of them say, You should do 
something. They don't always say the same thing.
    There are a few other networks, you know, financial, where 
you know you have multiple regulators. So that is one of the 
issues for us is multiple laws, multiple requirements, multiple 
regulators for these few crucial networks. And working through 
that is going to be very difficult.
    Mr. Lin. I think from the perspective of the National 
Research Council (NRC) report, we say that it is really hard to 
make--although the separation into tiers of different 
responsibilities may make some conceptual sense--it is hard to 
make that separation operationally. I mean you know, my dad's 
personal computer is on a public--you know, is connected to an 
Internet service provider that will be used in a botnet attack 
against something critical. And so being able to separate them 
cleanly is kind of a problem.
    Mr. Thornberry. Yeah. And I guess, Mr. Chairman, that leads 
me to the other part of this. I think you have each in the 
testimony talked about the international--need to have 
international. So does that mean--because it is hard to 
separate, particularly with the Internet, does that mean we are 
put in a position of defending the whole global Internet? How 
does geography interface with this need to have greater 
international cooperation?
    Mr. Kramer. Can I jump in on this? I think one of the 
things I think is really important is to recognize that just 
because we can't do everything doesn't mean we can't do some 
things, and also that this is going to be an incremental-type 
approach of improvement. We built the Internet. And again I 
want to say it is not just the Internet. It is networks, if you 
want to call it that. Cell phones and the like are very 
important in some countries. We didn't build them thinking 
about vulnerability. We built them thinking about 
functionality. And now we are sort of trying to redo it.
    There are some ways to make improvements. And again, I 
happen to use the environmental laws notion as an analogy. That 
is to say in 1970 we didn't have pretty much anything. By 1985 
we had had a lot, and it worked all right.
    The NRC used the example of, you know, required mandates. I 
think there is a lot that can be done. And when you go over to 
the international arena, the more that you can bring in other 
countries, the more opportunities you have. But it certainly is 
not the case that you are going to get a perfect world. But you 
could do things like, for example, limit down the number of 
gateways or put Supervisory Control and Data Acquisition 
(SCADA) systems on a different kind of--I am going to call it 
computer, so to speak, network or router or the like. You could 
do a lot.
    Mr. Thornberry. Things that would not compromise 
technology.
    Mr. Kramer. Right. In fact, you can use some advanced 
technologies to do different things. But one of the problems I 
think that conceptually occurs is people recognize that there 
are so many problems that they sort of in a certain sense throw 
up their hands. I think everyone agrees there are a lot of 
problems. So the issue is okay, you know, let's take the first 
step.
    Mr. Smith. We talked a little bit how to coordinate this 
and the different ways to do that and get the stovepiping 
issue. And I don't think any of you had recommended, you know, 
the creation of a new cybersecurity agency. I think you talked 
about creating national laboratories that focused on 
cybersecurity, which I think makes a great deal of sense.
    So you are satisfied that, you know, basically using United 
States Strategic Command (STRATCOM) as sort of the center right 
now, and then coordinating out from there, that we don't need 
some new bureaucracy; we just need to work within the ones we 
have, better.
    Dr. Lewis. Well, I have thought about this a little bit. 
And first of all, I don't think we need to go back to a czar. I 
usually don't think the word ``czar'' is in the Constitution.
    Mr. Smith. Right. Bad rep at this point, too.
    Dr. Lewis. That's right. This is a real national security 
problem now. It is not a boutique issue. For me that means it 
should be in the National Security Council (NSC). And so we 
need a senior director, we need an office, we need somebody who 
can provide the same sort of coordination we have for 
intelligence or military matters or proliferation. That would 
be one solution.
    Mr. Smith. And you think NSC is a better place than DOD?
    Dr. Lewis. I do. Because you have at least seven agencies 
that think they own the majority of this problem: DHS, Energy 
is involved, Justice, FBI. Who else has the power to 
coordinate? DOD? I think it has to be at the White House.
    Mr. Kramer. Can I just--I did recommend a new organization. 
And I said it as an analog to the Council of Economic Advisers. 
You happened to use the NCTC example. Could be that. That is a 
little bit more implementing. The reason I didn't put it in my 
head in the NSC is because I think cyber is bigger than 
security, and certainly bigger than security from the defensive 
side.
    There is a huge aspect of cyber with respect to influence, 
a huge aspect of cyber using it for, say, enhancing stability 
operations, a positive side. There are just the issues of net 
neutrality, pure technology, and the like.
    So you could have--you know, exactly where the agency goes, 
I don't want to get all bent out of shape over that. But the 
reason I suggested a cyber council as opposed to just putting 
it in the NSC is because we should deal with all these issues' 
breakdown, but the impact has to be the same.
    With respect to the DOD itself, I mean the DOD's 
reorganized on cyber and STRATCOM itself about three times in 
the last 2 years. So they are working hard. I would encourage 
the committee to keep talking to them a lot, because I don't 
think they even think they have the right answers yet, but they 
are trying to find them.
    The new cyber command for the Air Force, how does that 
relate to STRATCOM, which is a combatant command? Not clear. 
What is the Army's role, the Navy's role, the Marines' role? 
Not clear. Everyone is working hard, but I think there is a lot 
to be talked about with the committee.
    Dr. Lewis. The reason I thought the NSC was better is 
because when you create some of these new bodies--this is a 
debate we need to have--they end up being peripheral, they end 
up being sidelined. They end up being--you know, the drug czar, 
you know, and the offices over there on----
    Mr. Smith. They end up being another stovepipe basically as 
opposed to a coordinator, except in rare situations. And that 
is why I keep coming back to----
    Mr. Kramer. The point is well taken. I think this is one of 
these issues that should be talked out. But there is no--if we 
created a better overall office in the NSC as opposed to the 
Kramer suggestion about the cyber council, I would be very 
happy.
    Mr. Smith. And again, it is a major challenge, because if 
you are looking at the counterterrorism threat or--I forget the 
organization you mentioned earlier--it is more narrow in scope. 
Every single department of the government at every single level 
has multiple networks and goes into the big broad Internet as 
well. So there is, you know, really no way to sort of round 
them all up and put them under one umbrella. There has to be, I 
would think, a certain strategy that takes into account the 
autonomy that is going to come with that and try to have people 
work within their own framework. That is all I have got.
    Mr. Thornberry.
    Mr. Thornberry. This is the unanswerable question, I guess. 
But the thing I am struggling most with cyber is how fast it 
changes. I think every morning when I turn on my computer I get 
a new virus update. Just pretty much every day. When you look 
at charts of changing and computing power, you know, those are 
steep lines. And what I grapple with is how in the world can a 
giant bureaucracy as cumbersome and stovepiped as it is, even 
if there are improvements made, keep up with that level of 
change?
    In cyber you don't really even have time for human 
intervention in carrying out operations at least. Things move 
so quickly. And it just seems to me one of the challenges we 
face is how to make this agile and adaptable at the appropriate 
pace. I don't know if that is a question or a concern. But 
government is not that way, anyway. And how we do that in this 
field may be one of our biggest challenges.
    If you all have suggestions on how to do it, I would love 
to hear them.
    Mr. Lin. In the National Research Council (NRC) report we 
basically took that one on and said that top-down priority 
setting isn't going to work in this area, at least in the 
research domain. And we thought that there had to be some 
priority setting, but it ought to be done by the people who 
were closest to the technical understanding of the threat; that 
is, the program managers and the like. We just didn't see any 
way that a top-down organization could meaningfully set 
priorities here that wouldn't be overtaken in months.
    Mr. Kramer. You know, one of the things, to take an analogy 
and go to the financial structures, we have an enormously 
adaptive financial set of markets--not doing so well this past 
couple of weeks, but in general really enormously adaptive and 
flexible. And yet they do have regulation. And maybe they need 
more and maybe they don't. I don't know. That is one of the 
questions you all will be debating.
    But we were able to create some useful regulation, FDIC, 
Fed, SEC, et cetera, even though the specifics of how the 
operation runs is, I am going to call it ``distributed.'' In 
that case it is the market. But nonetheless. So I think it is 
possible to create some central vision and direction, and then 
distribute out the capacities.
    So, for example, on the particulars of what is the best 
research in a particular area, I am sure Dr. Lin knows a lot 
more than I do and so, you know, he is probably right. But I am 
pretty doubtful that any particular set of scientists would be 
able, better than a set of policymakers, to step back and say 
what are the biggest issues that we are facing as policymakers? 
So you are going to need to integrate the two is, I guess, what 
I would say.
    Mr. Smith. I was going to ask a question about the money 
side of this. As I mentioned earlier, a lot of these things, 
certainly setting up laboratories and implementing some of 
these programs--and even recruiting, you know, better talent--
pay is certainly going to be a factor, not the only factor, but 
one. But within our given systems, then, do you see 
opportunities where, without increasing the budgets, we could 
move the money around and get more for the money we are already 
spending? I ask that for obvious reasons, because those are 
policy changes we can make as opposed to, gosh, if you gave us 
$10 billion we could do a lot more. And I am sure that is true. 
But we have a real tight budget situation.
    Mr. Kramer. You know, one of the questions is which kinds 
of money are you giving me to move around? In other words, is 
it just cyber money we are moving around or is it other money? 
Because one of the questions you will want to ask yourself----
    Mr. Smith. Either one is fine.
    Mr. Kramer. I suspect that within the overall amounts of 
money that are available for national security, we could create 
a--we could and I would say we should create a somewhat higher 
priority on various aspects of cyber. Again not just--for my 
money, not just the technical sides of security, although I 
think that is important, but also some of the organizational--
some of the people and the like that we have talked about. And 
sure, there is no free lunch; $10 billion is just not 
automatically available. I understand the committee doesn't 
have it, and so we really do have to do trade-offs.
    Dr. Lewis. We need to start reprioritizing how we look at 
threats. And though there are some threats, and I won't say 
which ones, that maybe were important 20 years ago, 15 years 
ago, and we now would have to say maybe cyber is a more 
important priority and maybe money should flow from older 
programs to cyber. And that is always a painful decision. But 
if you look at the size of the Defense budget and if you look 
at the size of the Intelligence budget, you ought to be able to 
scrape up--one should be able to scrape up more money for these 
kind of activities.
    And I think it is getting people to realize there is a real 
threat, there has been real damage, and we need to do a little 
more. To their credit, the Administration is trying to do that. 
And I think, you know, you can get a classified briefing on 
their money. I think it was a 12 percent increase for 
cybersecurity this year, 12 or 15. And that is good. But it 
just--one year is not enough. So where would you take this 
from?
    Mr. Smith. And we are actually--I think we are getting a 
classified briefing tomorrow morning at 8:45. I forget; who is 
that, DOD?
    Mr. Lin. There is one other possible shifting that you 
could do, which is that if you look at the amounts devoted to 
research, and Dr. Kramer mentioned it earlier, about the size 
of the DHS budget for R&D, if you look at the amounts devoted 
to patching systems versus the amounts devoted to research, 
that is way, way, way out-balanced. Lots more, lots more on the 
patching systems side and very little on the research side.
    Mr. Smith. Right.
    Dr. Lewis. What you might hear tomorrow, too, is the Air 
Force in particular--I think it was a guy named John Gilligan 
who used to be the Chief Information Officer (CIO), realized he 
was spending a lot of money on patching--came up with this 
idea, what they now call the Federal desktop core configuration 
that cut his costs on the patching side. And so one thing we 
can ask is--that was just for one, that was for operating 
systems. There are probably other opportunities to move out of 
the Band-Aid approach to a more strategic direction. And that 
is where you could get a little more money.
    Mr. Smith. Absolutely. Well, thank you all very much for 
your testimony. Sorry about the interruption. I appreciate the 
information, and look forward to continuing to work with all of 
you. This is certainly going to be a major focus of our 
committee. It was last year. And we will look for any ideas and 
any ways to improve our cybersecurity approach. Thank you for 
the information.
    [Whereupon, at 4:55 p.m., the subcommittee was adjourned.]
                    QUESTIONS SUBMITTED BY MR. SMITH

    Mr. Smith. Are there areas in which you believe the government is 
underinvested that should be enhanced (or, conversely, where there is 
too much investment and the areas can be deemphasized)?
    Mr. Kramer. I believe the government could usefully increase 
investment in four areas--people; establishment of cyber laboratories; 
enhanced research and development; and development and support of 
infrastructure protection.
    People--As I stated in my testimony, ``teachers at all levels in 
the science, technology, engineering and mathematics fields need to be 
recruited and rewarded on a continuous basis; and a steady pipeline of 
students who will work such scientific and technological problems for 
their productive careers needs to be maintained.'' The federal 
government could support those efforts by a variety of incentives, 
grants, and scholarships, among other approaches.
    In addition, I recommend that the Congress evaluate whether 
creating a ``cyber corps'' of high level professionals would be 
valuable. There are many dedicated cyber professionals already working 
for the government, so establishing a cyber corps should not be done 
without appropriate analysis--but a group that had the capacity to work 
across agency lines might have high value.
    Cyber laboratories--As I stated in my testimony, ``The United 
States has traditionally relied on specialized government laboratories 
to complement private industry efforts to accomplish key national 
security goals. That has been true in both the nuclear and energy 
areas. But, in the cyber arena, no such structures have been developed, 
and governmental efforts are limited. For example, the Department of 
Homeland Security cyber research and development budget for FY 2007 was 
less than $50 million. Similarly, as the Vice-Chairman of the Joint 
Chiefs of Staff has stated, ``We as a nation don't have a national lab 
structure associated with [cyber] so we aren't growing the intellectual 
capital we need to . . . at the rate we need to be doing.'' In short, 
there is ``not sufficient fundamental research and development activity 
through the combined efforts of the public and private sectors to 
ensure the United States continues to develop its cyber leadership 
capabilities. . . . The government can, of course, rely in part on the 
private sector for such R&D, as it does in other national security 
areas. However, creation of government cyber laboratories will establish 
the ability to delve deeply into key questions under government control 
in a way that cannot always be accomplished through the contracting 
process.''
    Enhanced research and development--In addition to government cyber 
laboratories, there would be great benefit in increasing overall 
research and development funding by the federal government. As I said 
in my testimony, ``I do recognize that the private sector conducts 
significant and highly valuable cyber research. The private sector, 
however, is understandably motivated significantly by the profit 
motive, and there are issues that government needs to address because 
the appropriate level of effort will not be generated through market 
activity alone. The government can, of course, rely in part on the 
private sector for such R&D, as it does in other national security 
areas.'' Accordingly, I recommend, as I said previously, ``very 
significantly increasing R&D funding for governmental agencies; and 
enhancing private sector activities through direct contracts and 
incentives.'' Undertaking such actions would significantly increase the 
medium and long-term capacities of the United States. At a time when 
other countries are advertently adding to their cyber capacities and 
placing them in direct competition with those of the United States, it 
is critically important to respond to such challenges.
    Development and support of infrastructure protection--Cyber 
capabilities are vulnerable both because of security issues in the 
cyber arena itself and because of the vulnerability of the electrical 
grid. On the latter issue, the Defense Science Board has issued a 
recent report which underscores that vulnerability--but this is only 
one of very many such analyses. In my opinion, significant efforts 
should be undertaken to make the electrical grid less vulnerable, both 
from physical and cyber attack. One area of focus should be whether 
SCADA systems should utilize the standard Internet protocols, which 
make them vulnerable to numerous viruses and other forms of attack. As 
I stated in my testimony, ``Taking down the electric grid for a day 
would be high cost and arguably not acceptable, but taking it down for 
a year would be catastrophic beyond question.''
    More generally, whether through government laboratories, increased 
R&D spending or otherwise, investments in network system architectures 
that are less vulnerable to potential attack means and better methods 
of attack attribution would have high potential value.
    Mr. Smith. 2) Do you have any recommendations about how the USG 
should quantify the costs or economic impacts of a cyber attack?
    Mr. Kramer. The consequences of a cyber attack--depending on its 
nature--could include economic, governance, and social impacts. 
Economic impacts can be quantified in the same way other significant 
disruptive factors, such as hurricanes, are quantified. While cyber 
generally will not have physical consequences, it will have business 
disruption consequences, and such consequences are often calculated at 
both the micro and macro levels.
    I understand that there are several organizations that are 
developing tools to estimate the costs of such attacks. While I do not 
have personal experience with them, they include the US Cyber 
Consequences Unit (a private 501(c)(3) organization), the University of 
Virginia Center for Risk Analysis, and the National Infrastructure 
Simulation and Analysis Center which operates under the direction of 
the Department of Homeland Security (DHS), Office of Infrastructure 
Protection (IP), Infrastructure Analysis and Strategy Division (IASD), 
and includes analytical staff at Sandia National Laboratories and Los 
Alamos National Laboratory in New Mexico.
    It is important not to limit the analysis of the consequences of a 
cyber attack to the economic. The attacks in Estonia show that 
governmental functions can be significantly disrupted, which would be 
of high consequence to the American public. Similarly, societal 
functioning increasingly relies on cyber--for example, telephone via 
voice-over-IP--and cyber attacks could be highly consequential.
    Mr. Smith. 3) What sort of technology might the government be able 
to pursue to help enhance privacy protections without jeopardizing 
security?
    Mr. Kramer. The challenge is to harmonize security and privacy 
considerations. Unfortunately, privacy needs can come into conflict 
with the need for attribution of cyber attack activities. But, an 
appropriate balance may be reachable, particularly with technologies 
that are collectively referred to as ``traffic flow analysis'' tools. 
It is very important for the Congress to thoroughly analyze such issues 
to determine how such a balance should be struck and what protections 
should be required.
    I do not have technical expertise, but it is my understanding that 
the traffic flow analysis tools do not look at packet contents, but 
instead focus on header information to determine the source and 
destinations of groups of packets. By looking for anomalies in this 
traffic information, sensors can detect both large-scale attacks, as 
well as subtle outliers that may indicate a fine-tuned attack. By 
subtracting normal, expected traffic patterns from the actual traffic 
on the network, such tools can highlight specific traffic flows and 
packets that may require more analysis. The traffic flow analysis 
itself is not looking at message content, as it relies on information 
that ISPs themselves use to route packets through their networks--
though it does review some information and would still need to be under 
appropriate procedures. Once anomalies are identified, suitable 
procedures and/or court review could be established to zoom into the 
payload (i.e., non-header) parts of packets to discern the details of 
subtle, outlier attacks, while still maintaining privacy of those users 
whose packets are not included in the anomalous set. It is important to 
recognize that I am only recommending reviewing the potential of a 
general approach, and the specifics would need to be critically 
evaluated and highly important. Any such activities should be according 
to a framework and rules set by the Congress working in conjunction 
with the Executive Branch.
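The header-only approach described in this answer, as an added example that is not part of the hearing record or of any witness's own tooling: flow summaries of the kind routers export (source, destination, port, packet count) are profiled over a baseline window, the expected volume is subtracted from an observed window, and only the flows that stand out are returned for further review under whatever procedure applies. The sample flows are constructed for the example and use documentation address ranges; the thresholds (a four-sigma per-flow residual, a threefold per-destination volume ratio) are assumptions chosen for illustration, not settings from any deployed system. It goes a little beyond the answer by also checking aggregate volume per destination, which is what catches a distributed flood made up of many individually modest flows.

```python
"""Header-only flow anomaly detection (illustrative example)."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    """One flow summary; no payload field exists, so none can be read."""
    src: str
    dst: str
    dport: int
    packets: int


# Constructed sample (not real traffic): a quiet baseline hour, then an
# observed hour with a 30-source packet flood against the web server and
# one small flow to a port the baseline never saw on the mail server.
BASELINE = (
    [Flow(f"10.0.0.{i}", "192.0.2.10", 443, 40 + (i % 5) * 3) for i in range(1, 21)]
    + [Flow(f"10.0.0.{i}", "192.0.2.20", 25, 12 + (i % 3)) for i in range(1, 11)]
)
OBSERVED = (
    [Flow(f"10.0.0.{i}", "192.0.2.10", 443, 45 + (i % 5) * 3) for i in range(1, 21)]
    + [Flow(f"198.51.100.{i}", "192.0.2.10", 443, 900) for i in range(1, 31)]
    + [Flow(f"10.0.0.{i}", "192.0.2.20", 25, 13 + (i % 3)) for i in range(1, 11)]
    + [Flow("10.0.0.7", "192.0.2.20", 3389, 3)]
)


def build_profile(flows):
    """Per (destination, port): mean and population std-dev of packets per flow."""
    counts = defaultdict(list)
    for f in flows:
        counts[(f.dst, f.dport)].append(f.packets)
    return {k: (mean(v), pstdev(v)) for k, v in counts.items()}


def find_anomalies(profile, observed, z=4.0):
    """Return (floods, outliers): flows whose residual after subtracting the
    expected volume exceeds z sigma, and flows on destination/port pairs the
    baseline never contained (the 'subtle outlier' case)."""
    floods, outliers = [], []
    for f in observed:
        key = (f.dst, f.dport)
        if key not in profile:
            outliers.append(f)
            continue
        mu, sigma = profile[key]
        # Sigma floor of 1 packet keeps a perfectly regular baseline from
        # flagging every one-packet wobble.
        if f.packets - mu > z * max(sigma, 1.0):
            floods.append(f)
    return floods, outliers


def aggregate_spikes(baseline, observed, ratio=3.0):
    """Per-destination total packets, observed versus baseline; catches a
    distributed flood whose individual flows each look unremarkable."""
    def totals(flows):
        t = defaultdict(int)
        for f in flows:
            t[f.dst] += f.packets
        return t
    base, obs = totals(baseline), totals(observed)
    return {d: (base.get(d, 0), obs[d]) for d in obs
            if obs[d] > ratio * max(base.get(d, 0), 1)}


def escalation_set(profile, observed, z=4.0):
    """The only flows that would go on to deeper, procedurally controlled
    review, plus the fraction of all observed flows they represent."""
    floods, outliers = find_anomalies(profile, observed, z)
    flagged = set(floods) | set(outliers)
    return flagged, len(flagged) / len(observed)


if __name__ == "__main__":
    prof = build_profile(BASELINE)
    fl, out = find_anomalies(prof, OBSERVED)
    print(f"{len(fl)} flood flows, {len(out)} outlier flows")
    print("aggregate spikes:", aggregate_spikes(BASELINE, OBSERVED))
    print("escalated fraction: %.2f" % escalation_set(prof, OBSERVED)[1])
```

The point the answer makes is preserved in the design: every decision is taken on routing metadata the carrier already holds, and the legitimate 10.0.0.x flows, whose volume moved only modestly between windows, never enter the escalated set.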
    Mr. Smith. 4) What sorts of actions can the government take to help 
create incentives for developing/adopting/deploying security 
technologies?
    Mr. Kramer. In addition to the research and development activities 
discussed above, the government can take regulatory and direct support 
actions and can provide incentive support related to the adoption and 
deployment of security technologies.
    As I stated in my testimony, ``a differentiation should be made 
among `indispensable,' `key' and `other' cyber capacities. 
`Indispensable' cyber would include critical military and intelligence 
capacities, and other capacities that the nation simply could not 
afford to lose for even a short period of time. `Key' would include 
critical functionalities that could not be lost for any length of time, 
but for which short-term work-arounds might be available, or 
functionalities whose exploitation (as opposed to loss) by adverse 
parties would have consequential effects for the nation. Included in 
this category might be the electric grid and certain critical financial 
networks (although a determination would have to be made whether they 
need to be in the first `indispensable' category), as well as 
capacities such as the defense industry which is necessary for key work 
for military and intelligence functions. `Other' would include the 
great bulk of cyber, but, as described below, that categorization could 
still involve a higher degree of security requirements.''
    Based on that differentiation, ``for each of the three categories, 
appropriate security measures would be required or encouraged, some 
measures to be undertaken by the government. For the `indispensable' 
category, the government would provide security, including such 
activities as monitoring for attacks, providing protection, and 
generating responses as appropriate, including the possibility of 
reconstitution or the establishment of redundancy. For the `key' cyber, 
the government could require certain levels of security protection, and 
could provide part, including the possibility of, for example, 
monitoring, response, and support. For the `other' category, the 
government could require and/or encourage security through regulation, 
incentives, information, and coordination, such as working more closely 
with software vendors. In this necessarily large, last group, 
differentiations could be made among types of businesses (e.g., large 
and small) and among nature of user.''
    I think it is important to recognize that the ``cyber security 
situation currently faced by the United States is not unlike the early 
days of recognizing the issue of environmental protection. Affirmative 
action by the federal government was required--as by the Clean Air and 
the Clean Water Acts--and a level playing field had to be maintained to 
be fair to industry. A comparable effort is now required for cyber. 
However, in the cyber world, the situation is even more complicated--
any security program immediately presents extremely important and 
challenging privacy and civil liberties questions. Such issues must be 
directly faced, and a full dialogue undertaken with the American 
people.''
    For these reasons, it is extremely important that a `` 
`differentiated security' program ought to result only from joint full 
consideration by the Executive Branch and the Congress working together 
to create a full review. Hearings should take place with Executive 
Branch, industry, and individual participation. From such an effort a 
framework can be created for appropriate regulatory establishment of 
security arrangements including appropriate allocation and/or sharing 
of costs, and the protection of privacy and civil liberties. This 
effort should be given high priority by the Executive and the 
Congress.''
    Mr. Smith. 5) What lessons should we learn from the recent attacks 
against Estonian networks?
    Mr. Kramer. The lessons learned can be divided into the immediately 
derivative and longer-term:

    Immediate

    - Large-scale packet floods can be effective in shutting down e-
commerce, electronic banking, and e-government sites for a period of 24 
to 72 hours.

    - Attribution can be exceedingly difficult in the cyber world.

    - A distributed, world-wide cyber attack can be launched, possibly 
with limited or no central overt government command and control.

    - Communities of defenders can work together to help respond to an 
attack more effectively than they can when working alone. But, such 
defenders often work best when they are located together 
geographically. That is, despite the distributed nature of cyber space, 
defenders at this level may need to be deployed on very short notice to 
arbitrary points around the world to help respond to an attack, not 
unlike the need for rapid-response and deployment of military forces.

    Long-term

    --As discussed above, certain critical networks may best be created 
on non-Internet protocols in order to give greater protection. Overall, 
the issue of building resiliency into networks needs greater 
consideration.

    --International support needs to be established on a more formal 
and thorough basis. Both civilian and military partnerships need to be 
created and/or enhanced in order to be able to deal with such attacks.

    --The problems of attribution need a much more directed analysis.

    --An international regime that organizes and protects international 
networks needs to be established.

    --The policies relating to international responses to attacks 
should be developed.

    Mr. Smith. Are there areas in which you believe the government is 
underinvested that should be enhanced (or conversely, where there is 
too much investment and the areas can be deemphasized)?
    Dr. Goodman. [The information referred to was not available at the 
time of printing.]
    Mr. Smith. Do you have any recommendations about how the USG should 
quantify the costs or economic impacts of a cyber attack?
    Dr. Goodman. [The information referred to was not available at the 
time of printing.]
    Mr. Smith. What kinds of technology might the government be able to 
pursue to enhance privacy protections without jeopardizing security?
    Dr. Goodman. [The information referred to was not available at the 
time of printing.]
    Mr. Smith. What sorts of actions can the government take to help 
create incentives for developing/adopting/deploying security 
technologies?
    Dr. Goodman. [The information referred to was not available at the 
time of printing.]
    Mr. Smith. What lessons should we learn from the recent attacks 
against Estonian networks?
    Dr. Goodman. [The information referred to was not available at the 
time of printing.]
    Mr. Smith. How do current software practices contribute to or 
hinder cybersecurity efforts? Are there changes to software engineering 
curricula at the universities that you might recommend?
    Dr. Goodman. [The information referred to was not available at the 
time of printing.]
    Mr. Smith. Are there areas in which you believe the government is 
underinvested that should be enhanced (or conversely, where there is 
too much investment and the areas can be deemphasized)?
    Dr. Lewis. [The information referred to was not available at the 
time of printing.]
    Mr. Smith. Do you have any recommendations about how the USG should 
quantify the costs or economic impacts of a cyber attack?
    Dr. Lewis. [The information referred to was not available at the 
time of printing.]
    Mr. Smith. What kinds of technology might the government be able to 
pursue to enhance privacy protections without jeopardizing security?
    Dr. Lewis. [The information referred to was not available at the 
time of printing.]
    Mr. Smith. What sorts of actions can the government take to help 
create incentives for developing/adopting/deploying security 
technologies?
    Dr. Lewis. [The information referred to was not available at the 
time of printing.]
    Mr. Smith. What lessons should we learn from the recent attacks 
against Estonian networks?
    Dr. Lewis. [The information referred to was not available at the 
time of printing.]
